We have several packet decoders that receive traffic from Gigamon. That system has aggregators and taps that feed into it and provide us the raw packet traffic. Our IDS sensors receive the same feeds.
We have reports, fairly consistently (several per week), that an IDS sensor will fire, but when SA is used to try to identify the session related to that event, we're unable to find it.
Does anyone in the RSA Link universe have tips for tackling this problem? Management wants 100% certainty that our packet decoders have all the traffic that IDS has, but if our feeds are the same, the only problem I can see is with SA, yet I've investigated the following for each incident:
Checked decoder performance stats (assembler pages, dropped packets, capture rate, pool pages)
Checked decoder system stats (CPU, memory, disk I/O, network bandwidth)
Reviewed local logs (app and system) for any irregularities
Checked app rules
Checked taps are correct
Checked Gigamon feeds are correct
I have just run out of ideas. I have no clue how to increase the reliability of our decoder processing.
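For anyone working the same "IDS fired but the decoder has no session" problem, here is an added example (not from the original post, and not RSA or NetWitness code) of the correlation check I would run before blaming the capture path. It parses Snort-style "fast" alert lines (IPv4 only), parses a hypothetical CSV of flow/session records as a decoder might export them, and then classifies each alert as matched exactly, matched only with the 5-tuple reversed (IDS reports the triggering packet's direction, session stores usually key on the initiator), matched only after allowing sensor/decoder clock skew, or genuinely missing. All sample data is constructed; the 30-second skew tolerance is an assumption.

```python
"""Correlate IDS alerts against flow records from the same tap feed.

Assumptions (added example, not vendor code):
  * alerts are Snort "fast" format lines with IPv4 addresses and no year
  * flow records are a hypothetical CSV export: first_seen,last_seen,proto,src,sport,dst,dport
  * the decoder and sensor may disagree on time by up to MAX_SKEW
"""
import csv
import io
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(seconds=30)  # assumed tolerable sensor/decoder clock offset

# Snort fast format: MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+\[(?P<sig>[^\]]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (local-rule SIDs, documentation address ranges).
SAMPLE_ALERTS = [
    "04/12-10:15:03.123456  [**] [1:1000001:1] LOCAL id check response [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 10.0.0.7:51234",
    "04/12-10:20:55.000001  [**] [1:1000002:1] LOCAL suspicious DNS query [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:40000 -> 198.51.100.20:53",
    "04/12-11:02:02.500000  [**] [1:1000003:1] LOCAL TLS anomaly [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.11:44321 -> 192.0.2.30:443",
    "04/12-11:30:00.000000  [**] [1:1000004:1] LOCAL SSH brute force [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.12:50000 -> 192.0.2.31:22",
]

# Constructed sample flow export (hypothetical layout).
SAMPLE_FLOWS = """first_seen,last_seen,proto,src,sport,dst,dport
2024-04-12T10:15:01,2024-04-12T10:15:09,tcp,10.0.0.7,51234,203.0.113.5,80
2024-04-12T10:20:40,2024-04-12T10:20:41,udp,10.0.0.9,40000,198.51.100.20,53
2024-04-12T11:02:00,2024-04-12T11:02:05,tcp,10.0.0.11,44321,192.0.2.30,443
"""


def parse_alert(line, year):
    """Parse one fast-format alert; the year is supplied because the format omits it."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sig": m["sig"], "msg": m["msg"], "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"])}


def parse_flows(text):
    """Parse the CSV flow export into dicts with datetime bounds and normalised protocol."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"first_seen": datetime.fromisoformat(row["first_seen"]),
                      "last_seen": datetime.fromisoformat(row["last_seen"]),
                      "proto": row["proto"].lower(), "src": row["src"], "sport": int(row["sport"]),
                      "dst": row["dst"], "dport": int(row["dport"])})
    return flows


def classify(alert, flows, max_skew=MAX_SKEW):
    """Return 'exact', 'reversed', 'skewed', 'reversed+skewed' or 'missing'.

    Prefers the candidate needing the fewest corrections, so an exact hit wins
    over a reversed or skewed one for the same tuple.
    """
    key = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    best = None
    for f in flows:
        if f["proto"] != alert["proto"]:
            continue
        forward = (f["src"], f["sport"], f["dst"], f["dport"]) == key
        reverse = (f["dst"], f["dport"], f["src"], f["sport"]) == key
        if not (forward or reverse):
            continue
        in_window = f["first_seen"] <= alert["ts"] <= f["last_seen"]
        in_skewed = f["first_seen"] - max_skew <= alert["ts"] <= f["last_seen"] + max_skew
        if not in_skewed:
            continue  # same tuple but far outside the session: treat as a different session
        tags = []
        if reverse and not forward:
            tags.append("reversed")
        if not in_window:
            tags.append("skewed")
        if best is None or len(tags) < best[0]:
            best = (len(tags), "+".join(tags) or "exact")
    return best[1] if best else "missing"


def correlate(alert_lines, flow_csv, year):
    """Classify every alert; returns [(signature, label), ...] in input order."""
    flows = parse_flows(flow_csv)
    return [(a["sig"], classify(a, flows)) for a in (parse_alert(l, year) for l in alert_lines)]


if __name__ == "__main__":
    for sig, label in correlate(SAMPLE_ALERTS, SAMPLE_FLOWS, year=2024):
        print(f"{sig:<14} {label}")
```

Only the alerts that come back "missing" point at the feed or the decoder; "reversed" and "skewed" hits mean the packets are there and the session lookup, not the capture, is what needs adjusting (search both directions, widen the time window, and check NTP on the sensor and decoder).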